Systems and methods for dynamically identifying illegitimate accounts based on rules

ABSTRACT

Systems, methods, and non-transitory computer-readable media can receive a set of accounts associated with a specified time frame. One or more features and one or more feature combinations can be analyzed for each account in the set. Feature metrics for the one or more features and the one or more feature combinations can be determined for each account in the set. Threshold values for the feature metrics can be acquired. At least one rule can be implemented based on at least some of the feature metrics and at least some of the threshold values.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.14/529,713, filed on Oct. 31, 2014 and entitled “SYSTEMS AND METHODS FORDYNAMICALLY IDENTIFYING ILLEGITIMATE ACCOUNTS BASED ON RULES”, which isincorporated herein by reference.

FIELD OF THE INVENTION

The present technology relates to identifying illegitimate accounts.More particularly, the present technology relates to techniques fordynamically identifying illegitimate accounts based on rules.

BACKGROUND

Today, people often interact with networked environments or onlineservices. Many users of computing devices (or systems) frequently browseweb sites, access online media content, or otherwise use networkservices. Users with access to the Internet can perform online shopping,watch streaming movies, download software, utilize social networkingservices, and accomplish many other tasks. In one example, users of asocial networking service or system can publish advertisements, purchaseapplications, give gifts, distribute promotions, or conduct variousother transactions. Sometimes, an illegitimate user can attempt topublish illegitimate (e.g., fraudulent, fake, illegal, etc.)advertisements or conduct other illegitimate actions. In anotherexample, users can provide their payment information (e.g., credit cardinformation, bank account information) to an online service in order tofund various online activities. However, occasionally, an illegitimateuser can attempt to illegitimately gain access to a legitimate user'spayment information or otherwise compromise the legitimate user'saccount with the online service.

Accordingly, when a user of an online service, such as a socialnetworking system, participates in various activities that involve theuse of financial instruments compatible or operable with the onlineservice, the financial instruments of the user can sometimes be stolen,illegitimately used, or otherwise compromised. These and other similarconcerns can reduce the overall user experience associated with usingonline services.

SUMMARY

Various embodiments of the present disclosure can include systems,methods, and non-transitory computer readable media configured toreceive a set of accounts associated with a specified time frame. One ormore features and one or more feature combinations can be analyzed foreach account in the set. Feature metrics for the one or more featuresand the one or more feature combinations can be determined for eachaccount in the set. Threshold values for the feature metrics can beacquired. At least one rule can be implemented based on at least some ofthe feature metrics and at least some of the threshold values.

In an embodiment, an unidentified account absent from the set ofaccounts can be received. It can be determined that the unidentifiedaccount is associated with the one or more features and the one or morefeature combinations. One or more assessment metrics can be calculatedbased at least in part on the feature metrics determined for eachaccount in the set. The unidentified account can be identified as beingillegitimate, based on the at least one rule, when the one or moreassessment metrics satisfy the at least some of the threshold values.

In an embodiment, the one or more assessment metrics can be associatedwith at least one of a ratio of a number of manually disabled newaccounts relative to a number of disabled new accounts, a number of newaccounts, or a ratio of the number of disabled new accounts relative tothe number of new accounts.

In an embodiment, the threshold values for the feature metrics caninclude a first threshold value, a second threshold value, and a thirdthreshold value. The first threshold value can be associated with theratio of the number of manually disabled new accounts relative to thenumber of disabled new accounts. The second threshold value can beassociated with the number of new accounts. The third threshold valuecan be associated with the ratio of the number of disabled new accountsrelative to the number of new accounts.

In an embodiment, the first threshold value can correspond to 0.75. Insome cases, the second threshold value can correspond to 8. In someinstances, the third threshold value can correspond to 0.75.

In an embodiment, the set of accounts can correspond to a set ofadvertiser accounts.

In an embodiment, the one or more features can be associated with atleast one of an advertisement title, an advertisement image, anadvertisement landing page identifier, a social networking systemidentifier for an advertisement landing page component, an advertisementbody text portion, an advertisement landing page domain, a sourceinternet protocol (IP), a credit card identification number, a latestadministered page name, a campaign name, a user agent, or anadvertisement image identifier.

In an embodiment, at least one of the one or more feature combinationscan be associated with a default source country, a campaign currency,and a credit card identification number.

In an embodiment, the threshold values for the feature metrics caninclude a first set of threshold values and a second set of thresholdvalues. In some cases, threshold values in the first set can be higherthan threshold values in the second set. In some instances, the firstset of threshold values can be associated with automaticallydisablement. In some cases, the second set of threshold values can beassociated with manual review.

In an embodiment, the feature metrics determined for each account in theset can be updated daily.

It should be appreciated that many other features, applications,embodiments, and/or variations of the disclosed technology will beapparent from the accompanying drawings and from the following detaileddescription. Additional and/or alternative implementations of thestructures, systems, non-transitory computer readable media, and methodsdescribed herein can be employed without departing from the principlesof the disclosed technology.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example system including an example dynamicidentification rule module configured to facilitate dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure.

FIG. 2 illustrates an example feature module configured to facilitatedynamically identifying illegitimate accounts based on rules, accordingto an embodiment of the present disclosure.

FIG. 3 illustrates an example rule module configured to facilitatedynamically identifying illegitimate accounts based on rules, accordingto an embodiment of the present disclosure.

FIG. 4A illustrates an example method associated with dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure.

FIG. 4B illustrates an example method associated with dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure.

FIG. 5 illustrates an example system including an example dynamic modelthreshold module configured to facilitate dynamically selecting modelthresholds for identifying illegitimate accounts, according to anembodiment of the present disclosure.

FIG. 6 illustrates an example metrics module configured to facilitatedynamically selecting model thresholds for identifying illegitimateaccounts, according to an embodiment of the present disclosure.

FIG. 7 illustrates an example criteria module configured to facilitatedynamically selecting model thresholds for identifying illegitimateaccounts, according to an embodiment of the present disclosure.

FIG. 8A illustrates an example method associated with dynamicallyselecting model thresholds for identifying illegitimate accounts,according to an embodiment of the present disclosure.

FIG. 8B illustrates an example method associated with dynamicallyselecting model thresholds for identifying illegitimate accounts,according to an embodiment of the present disclosure.

FIG. 9 illustrates a network diagram of an example system that can beutilized in various scenarios, according to an embodiment of the presentdisclosure.

FIG. 10 illustrates an example of a computer system that can be utilizedin various scenarios, according to an embodiment of the presentdisclosure.

The figures depict various embodiments of the disclosed technology forpurposes of illustration only, wherein the figures use like referencenumerals to identify like elements. One skilled in the art will readilyrecognize from the following discussion that alternative embodiments ofthe structures and methods illustrated in the figures can be employedwithout departing from the principles of the disclosed technologydescribed herein.

DETAILED DESCRIPTION

Dynamically Identifying Illegitimate Accounts Based on Rules

People often conduct transactions or engage in activities that involvethe use of financial instruments, such as credit cards, bank accounts,electronic or digital payment services, etc. When users of computingdevices utilize financial instruments in a networked environment (e.g.,Internet, cellular data network, online service, social networkingsystem, etc.), the users must often provide information about theirfinancial instruments. In some cases, illegitimate or fraudulent userscan attempt to steal information about the financial instruments oflegitimate online service users. In some cases, an illegitimate user canattempt to link a stolen financial instrument with a legitimate user'sonline service account.

Furthermore, in some instances, illegitimate users can attempt to createaccounts with social networking systems or services and utilize thoseaccounts to conduct illegitimate activities within the social networkingsystems. For example, an illegitimate user can create a plurality ofaccounts with a social networking system in hopes that at least someaccounts will be able to successfully publish one or more illegitimateadvertisements.

Conventional approaches to identifying illegitimate accounts (or users,activities, transactions, events, and/or other incidents, etc.)generally utilize rules or policies to target specific illegitimateschemes that have particular trends, patterns, properties, traits, orcharacteristics in common. However, illegitimate accounts or users canattempt to shift away from those schemes and utilize different schemes,in order to proceed undetected by those rules or policies. As such,conventional approaches can often times be ineffective and inefficient.

Therefore, an improved approach to identifying potentially illegitimateaccounts (or users, activities, transactions, events, and/or otherincidents, etc.) can be beneficial for addressing or alleviating variousconcerns associated with conventional approaches. The disclosedtechnology can dynamically identify illegitimate accounts based onrules. Various embodiments of the present disclosure can receive a setof accounts associated with a specified time frame. One or more featuresand one or more feature combinations can be analyzed for each account inthe set. Feature metrics for the one or more features and the one ormore feature combinations can be determined for each account in the set.Threshold values for the feature metrics can be acquired. At least onerule can be implemented based on at least some of the feature metricsand at least some of the threshold values. It is contemplated that therecan be many variations and/or other possibilities.

FIG. 1 illustrates an example system 100 including an example dynamicidentification rule module 102 configured to facilitate dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure. As shown in the example of FIG. 1,the dynamic identification rule module 102 can include an accountreceiving module 104, a feature module 106, a threshold value module108, and a rule module 110. In some instances, the example system 100can also include a risk system 120 and at least one data store 122. Thecomponents (e.g., modules, elements, etc.) shown in this figure and allfigures herein are exemplary only, and other implementations may includeadditional, fewer, integrated, or different components. Some componentsmay not be shown so as not to obscure relevant details.

In some embodiments, the dynamic identification rule module 102 can beimplemented, in part or in whole, using software, hardware, or anycombination thereof. In general, a module as discussed herein can beassociated with software, hardware, or any combination thereof. In someimplementations, one or more functions, tasks, and/or operations ofmodules can be carried out or performed by software routines, softwareprocesses, hardware, and/or any combination thereof. In some cases, theexample dynamic identification rule module 102 can be implemented, inpart or in whole, as software running on one or more computing devicesor systems, such as on a user or client computing device. For example,the dynamic identification rule module 102 can be implemented as orwithin an application (e.g., app), a program, or an applet, etc.,running on a user computing device or client computing system. Inanother example, the dynamic identification rule module 102 can beimplemented using one or more computing devices or systems that includeone or more servers, such as network servers or cloud servers. In somecases, the dynamic identification rule module 102 can, in part or inwhole, be implemented within or configured to operate with the risksystem 120. In some instances, the dynamic identification rule module102 can, in part or in whole, be implemented within or configured tooperate with a social networking system (or service), such as the socialnetworking system 930 of FIG. 9. It should be understood that manyvariations are possible.

The account receiving module 104 can be configured to facilitatereceiving a set of accounts associated with a specified time frame. Insome instances, the set of accounts can include online service accountsutilized for advertising at an online service. For example, the set ofaccounts can include social networking advertiser accounts used forpublishing advertisements at the social networking system or service. Insome implementations, the account receiving module 104 can communicateand operate with the risk system 120 and/or the at least one data store122 to acquire or receive the set of accounts associated with thespecified time frame. The specified time frame can correspond to variousdefined time periods, such as a period including the past 90 days orother suitable time frames. In one example, the set of accounts cancorrespond to all accounts in the risk system 120 and/or the data store122 over the last 90 days.

The feature module 106 can be configured to facilitate analyzing, foreach account in the set, one or more features and one or more featurecombinations. The feature module 106 can be further configured tofacilitate determining, for each account in the set, feature metrics forthe one or more features and the one or more feature combinations. Moredetails regarding the feature module 106 will be provided below withreference to FIG. 2.

The threshold value module 108 can be configured to facilitate acquiringthreshold values for the feature metrics. In some implementations, thethreshold value module 108 can be configured to acquire or determine thethreshold values for the feature metrics, such as by utilizing machinelearning or other computer-assisted techniques. In some embodiments, thethreshold values can be determined via research, development, and/orexperimentation. For example, manual effort can assist in calculating ordetermining the threshold values, which can be acquired or received bythe threshold value module 108. The threshold values for the featuremetrics will be discussed in more detail below.

The rule module 110 can be configured to facilitate implementing atleast one rule for dynamically identifying accounts as beingillegitimate. In some instances, the at least one rule can be based onat least some of the feature metrics and at least some of the thresholdvalues. The rule module 110 will be described in more detail below withreference to FIG. 3.

Furthermore, as shown in FIG. 1, the example system 100 can include therisk system 120. The risk system 120 can be configured to facilitatevarious tasks and operations associated with managing risk. For example,the risk system 120 can be utilized by an online service. The risksystem 120 can generate and/or implement one or more rules (or policies)to identify accounts or activities that are likely to be illegitimate.As discussed, the dynamic identification rule module 102 can beconfigured to communicate or operate with the risk system 120. In someembodiments, the dynamic identification rule module 102 can beimplemented or can reside within the risk system 120. In some instances,the dynamic identification rule module 102 can be implemented separatelyfrom the risk system 120, such as in the form of a component, layer, orframework in addition to the risk system 120. It should be appreciatedthat many variations are possible.

Moreover, the at least one data store 122 can be configured tocommunicate or operate with the dynamic identification rule module 102and/or with the risk system 120. The at least one data store 122 can beconfigured to store and maintain various types of data. In someimplementations, the at least one data store 122 can store informationassociated with the social networking system (e.g., the socialnetworking system 930 of FIG. 9). The information associated with thesocial networking system can include data about accounts, users, socialconnections, social interactions, maps, locations, geo-fenced areas,places, events, groups, posts, communications, content, accountsettings, privacy settings, a social graph, and various other types ofdata. In some implementations, the at least one data store 122 can storeinformation associated with users, such as user identifiers, userinformation, user specified settings, content produced by users, andvarious other types of user data. In some embodiments, the at least onedata store 122 can store information associated with the risk system120, such as data associated with various online service accounts and/oractivities. In some embodiments, the at least one data store 122 can beimplemented with or within the risk system 120.

In one example, the account receiving module 104 of the dynamicidentification rule module 102 can receive, from the risk system 120and/or the data store 122, a set of accounts over the past 90 days. Thedynamic identification rule module 102 can utilize the feature module106 to access and/or analyze certain features and feature combinationsassociated with each account in the set of accounts. One of the featurecombinations can include, for example, a particular feature combinationassociated with a default source country, a campaign currency, and acredit card identification number. Many other features and featurecombinations can be utilized as well, but are not discussed in thisexample for the sake of brevity.

Continuing with the example, based on accessing and/or analyzing theparticular feature combination, feature metrics for the particularfeature combination can be determined. The feature metrics for theparticular feature combination can correspond to statistical informationor values associated with the particular feature combination. In thisexample, the feature metrics for the particular feature combination canindicate how many accounts in the set have a particular instance orarrangement of default source country, campaign currency, and creditcard identification number. The feature metrics for the particularfeature combination can also indicate how many accounts with theparticular instance have been disabled in the risk system 120 and howmany of the disabled accounts were manually disabled. Based, in part, onthe feature metrics, the rule module 110 can implement at least one rulefor dynamically identifying accounts as being illegitimate. In someinstances, the at least one rule can also be based on at least somethreshold values acquired by the threshold value module 108.

In this example, the at least one rule can specify that an unidentifiedaccount, associated with the particular instance or arrangement ofdefault source country, campaign currency, and credit cardidentification number, is to be identified as being illegitimate whencertain conditions are met. Such conditions can be met when a number ofmanually disabled new accounts with the particular instance divided by anumber of disabled new accounts with the particular instance at leastmeets a first threshold value (e.g., 0.75 or other suitable value), whena number of new accounts with the particular instance at least meets asecond threshold value (e.g., 8 or other suitable value), and when thenumber of disabled new accounts with the particular instance divided bya number of new accounts with the particular instance at least meets athird threshold value (e.g., 0.75 or other suitable value).

Accordingly, in this example, when the number of illegitimate accountshaving the particular instance increases, the number of manuallydisabled accounts with the particular instance can also increase,thereby causing the at least one rule to be triggered as the thresholdsare satisfied and to identify accounts (including the unidentifiedaccount) with the particular instance as being illegitimate. Conversely,when the number of illegitimate accounts having the particular instancedecreases, the number of manually disabled accounts can also decrease,thereby causing the threshold values to be unsatisfied and stopping theat least one rule from identifying accounts (including the unidentifiedaccount) with the particular instance as being illegitimate. As such,the at least one rule can dynamically identify accounts as beingillegitimate.

FIG. 2 illustrates an example feature module 202 configured tofacilitate dynamically identifying illegitimate accounts based on rules,according to an embodiment of the present disclosure. In someembodiments, the feature module 106 of FIG. 1 can be implemented as theexample feature module 202. As shown in FIG. 2, the example featuremodule 202 can include a feature analysis module 204 and a featuremetrics module 206.

As discussed above, a set of accounts associated within a specified timeframe can be received. The feature analysis module 204 can be configuredto access and analyze, for each account in the set, one or more featuresand one or more feature combinations. In some instances, features cangenerally refer to properties, traits, characteristics, and/or otherinformation associated with accounts. For example, features can beassociated with at least one of an advertisement title, an advertisementimage, an advertisement landing page identifier, a social networkingsystem identifier for an advertisement landing page component, anadvertisement body text portion, an advertisement landing page domain, asource internet protocol (IP), a credit card identification number, alatest administered page name, a campaign name, a user agent, or anadvertisement image identifier. It is contemplated that there can bemany variations and other possibilities.

Moreover, feature combinations can generally refer to a collection, set,or other combination of multiple features. The one or more featurecombinations can be based on any combination of the one or more featuresas well as other suitable features. In one example, at least one of theone or more feature combinations can be associated with a default sourcecountry, a campaign currency, and a credit card identification number.Again, many variations are possible.

In one example, the feature analysis module 204 can analyze, for arespective account in the received set, a feature combination associatedwith default source country, campaign currency, and credit cardidentification number. The feature analysis module 204 can determinethat the respective account has a default source country featureassociated with Great Britain, a campaign currency feature associatedwith U.S. Dollars (USD), and a credit card identification number featureassociated with 123456.

Moreover, the feature metrics module 206 can be configured to determine,for each account in the received set, feature metrics for the one ormore features and the one or more feature combinations. Feature metricscan generally refer to statistics, values, performance metrics, or othersimilar types of information associated with the one or more featuresand the one or more feature combinations. In some embodiments, thefeature metrics module 206 can determine the feature metrics for aparticular feature or feature combination by inputting the particularfeature or feature combination into a statistical mechanism whichoutputs the feature metrics.

In some instances, the feature metrics for a respective particularfeature or feature combination can indicate how many accounts in thereceive set have the particular feature or feature combination (i.e., aparticular feature or feature combination instance). The feature metricsfor the particular feature or feature combination can also indicate howmany accounts with the particular feature or feature combination havebeen disabled, as well as how many of the disabled accounts weremanually disabled. There can be numerous other possibilities as well.Moreover, in some implementations, the feature metrics determined foreach account in the set can be updated daily or at other suitable times.

In some embodiments, the feature metrics for the one or more featuresand the one or more feature combinations can include, but are notlimited to, at least one of a number of old accounts (e.g., over thepast 90 days relative to yesterday) associated with the one or morefeatures and the one or more feature combinations, a number of newaccounts (e.g., over the past 90 days relative to today) associated withthe one or more features and the one or more feature combinations, adifference between the number of old accounts and the number of newaccounts, a number of disabled old accounts, a number of disabled newaccounts, a difference between the number of disabled old accounts andthe number of disabled new accounts, a number of manually disabled oldaccounts, a number of manually disabled new accounts, a differencebetween the number of manually disabled old accounts and the number ofmanually disabled new accounts, a number of old accounts queued (e.g.,for manual review), a number of new accounts queued, a differencebetween the number of old accounts queued and the number of new accountsqueued, a number of old accounts automatically actioned (e.g.,automatically disabled, blocked, or stopped, etc.), a number of newaccounts automatically actioned, or a difference between the number ofold accounts automatically actioned and the number of new accountsautomatically actioned. It is contemplated that there can be manyvariations.

FIG. 3 illustrates an example rule module 302 configured to facilitatedynamically identifying illegitimate accounts based on rules, accordingto an embodiment of the present disclosure. In some embodiments, therule module 110 of FIG. 1 can be implemented as the example rule module302. As shown in FIG. 3, the example rule module 302 can utilize featuremetrics 304, assessment metrics 306, and threshold values 308.

The rule module 302 can implement at least one rule for dynamicallyidentifying accounts as being illegitimate. In some cases, the at leastone rule can be based on at least some feature metrics 304 and at leastsome threshold values 308. In some implementations, the feature metrics304 can be determined or acquired by the feature module 106 of FIG. 1,and the threshold values can be determined or acquired by the thresholdvalue module 108 of FIG. 1. In some embodiments, the at least one rulecan be generated, developed, and/or created utilizing, at least in part,machine-learning and/or other computer-assisted techniques. In someembodiments, the at least one rule can be generated, developed, and/orcreated based, at least in part, on manual effort.

As discussed previously, the at least one rule can be based on thefeature metrics 304. In some instances, one or more assessment metrics306 can be determined, calculated, and/or derived from the featuremetrics 304 and the at least one rule can be based on the assessmentmetrics 306. In one example, the at least one rule can be associatedwith a particular feature combination of default source country,campaign currency, and credit card identification number (i.e., aparticular instance, arrangement, or grouping of the particular featurecombination). The feature metrics 304 for the particular featurecombination can include, but are not limited to, a number of manuallydisabled new accounts having the particular feature combination, anumber of disabled new accounts having the particular featurecombination, and a number of new accounts having the particular instancecombination. In the example, the one or more assessment metrics 306 canbe associated with at least one of a ratio of the number of manuallydisabled new accounts having the particular feature combination relativeto the number of disabled new accounts having the particular featurecombination, the quantity or number of new accounts having theparticular feature combination, or a ratio of the number of disabled newaccounts having the particular feature combination relative to thenumber of new accounts having the particular feature combination.

As discussed previously, the at least one rule can also be based on thethreshold values 308. Continuing with the previous example, thethreshold values 308 can include a first threshold value, a secondthreshold value, and a third threshold value. The first threshold valuecan be associated with the ratio of the number of manually disabled newaccounts relative to the number of disabled new accounts. The secondthreshold value can be associated with the quantity or number of newaccounts. The third threshold value can be associated with the ratio ofthe number of disabled new accounts relative to the number of newaccounts. In this example, the first threshold value can correspond to0.75. The second threshold value can correspond to 8. The thirdthreshold value can correspond to 0.75. It is understood that manyvariations and threshold values are possible.

In some embodiments, the threshold values 308 can be determined orotherwise acquired based on computer-assisted techniques and/or manualeffort. In some implementations, the threshold values 308 can include afirst set of threshold values and a second set of threshold values. Thethreshold values in the first set can be higher than threshold values inthe second set. The first set of threshold values can, for example, beassociated with automatically disablement, such that the at least onerule automatically disables accounts with a particular feature orfeature combination when the first set of threshold values are met. Thesecond set of threshold values can, for example, be associated withmanual review, such that the at least one rule causes accounts with aparticular feature or feature combination to be queued for manual reviewwhen the second set of threshold values are met but the first set ofthreshold values are not. Again, many variations are possible.

FIG. 4A illustrates an example method 400 associated with dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure. It should be appreciated thatthere can be additional, fewer, or alternative steps performed insimilar or alternative orders, or in parallel, within the scope of thevarious embodiments unless otherwise stated.

At block 402, the example method 400 can receive a set of accountsassociated with a specified time frame. At block 404, the example method400 can analyze, for each account in the set, one or more features andone or more feature combinations. At block 406, the example method 400can determine, for each account in the set, feature metrics for the oneor more features and the one or more feature combinations. At block 408,the example method 400 can acquire threshold values for the featuremetrics. At block 410, the example method 400 can implement at least onerule for dynamically identifying accounts as being illegitimate. In someinstances, the at least one rule can be based on at least some of thefeature metrics and at least some of the threshold values.

FIG. 4B illustrates an example method 450 associated with dynamicallyidentifying illegitimate accounts based on rules, according to anembodiment of the present disclosure. Again, it should be understoodthat there can be additional, fewer, or alternative steps performed insimilar or alternative orders, or in parallel, within the scope of thevarious embodiments unless otherwise stated.

At block 452, the example method 450 can receive an unidentified accountabsent from the set of accounts. At block 454, the example method 450can determine that the unidentified account is associated with the oneor more features and the one or more feature combinations. At block 456,the example method 450 can calculate, based at least in part on thefeature metrics determined for each account in the set, one or moreassessment metrics. At block 458, the example method 450 can identifythe unidentified account as being illegitimate, based on the at leastone rule, when the one or more assessment metrics satisfy the at leastsome of the threshold values.

In some embodiments, various embodiments of the present disclosure canbe configured to facilitate identifying illegitimate accounts, users,activities, transactions, events, and various other incidents. It iscontemplated that there can be many other uses, applications, and/orvariations associated with the various embodiments of the presentdisclosure.

Dynamically Selecting Model Thresholds for Identifying IllegitimateAccounts

In some instances, identifying illegitimate accounts (or users,activities, transactions, events, and/or other incidents, etc.) canutilize one or more models within a risk system. Under conventionalapproaches, the one or more models within the risk system can be trainedbased on given, known, or labeled data. The training can define or setmodel thresholds for the models. A given model can analyze unidentifiedaccounts (or users, activities, transactions, events, and/or otherincidents, etc.) and calculate model scores for the unidentifiedaccounts. If the model scores for the unidentified accounts satisfy themodel threshold that has been set for the given model, then theunidentified accounts can be identified as being illegitimate and becomedisabled.

However, under conventional approaches, the model thresholds fortriggering identification of accounts as being illegitimate cansometimes be set slightly too high, such that a significant amount ofillegitimate accounts are sometimes undetected because they are slightlybelow the model thresholds. Also, under conventional approaches, themodel thresholds for triggering identification of accounts as beingillegitimate can sometimes be slightly too low, such that a significantamount of legitimate accounts are sometimes misidentified (i.e., falsepositive accounts) as being illegitimate or unnecessarily classified asrequiring manual review because they are slightly above the modelthresholds. Thus, conventional approaches can sometimes be inefficientand insufficiently effective.

Therefore, an improved approach to utilizing models to identifypotentially illegitimate accounts can be beneficial for addressing oralleviating various concerns associated with conventional approaches.The disclosed technology can dynamically select model thresholds foridentifying illegitimate accounts. Various embodiments of the presentdisclosure can determine a plurality of model scores for a set ofaccounts. Each model score in the plurality of model scores can beassociated with at least one account in the set of accounts. Theplurality of model scores can be ranked in descending order. One or moremetrics can be determined for each model score in the plurality of modelscores based on information about the at least one account associatedwith each model score. Specified criteria for selecting a modelthreshold utilized in identifying illegitimate accounts can be acquired.The specified criteria can be based on at least some of the one or moremetrics. The model threshold can be selected as corresponding to alowest ranked model score that satisfies the specified criteria. It iscontemplated that there can be many variations and/or otherpossibilities.

FIG. 5 illustrates an example system 500 including an example dynamicmodel threshold module 502 configured to facilitate dynamicallyselecting model thresholds for identifying illegitimate accounts,according to an embodiment of the present disclosure. As shown in theexample of FIG. 5, the dynamic model threshold module 502 can include amodel score module 504, a ranking module 506, a metrics module 508, acriteria module 510, and a selection module 512. In some instances, theexample system 500 can also include a risk system 520 and at least onedata store 522. In some embodiments, the risk system 520 can beimplemented as the risk system 120 of FIG. 1 and the at least one datastore 522 can be implemented as the at least one data store 122 or FIG.1.

In the example of FIG. 5, the dynamic model threshold module 502 can beimplemented, in part or in whole, using software, hardware, or anycombination thereof. In some cases, the dynamic model threshold module502 can, in part or in whole, be implemented within or configured tooperate with the risk system 520. In some instances, dynamic modelthreshold module 502 can, in part or in whole, be implemented within orconfigured to operate with a social networking system (or service), suchas the social networking system 930 of FIG. 9. Many variations arepossible.

The model score module 502 can be configured to determine a plurality ofmodel scores for a set of accounts. Each model score in the plurality ofmodel scores can be associated with at least one account in the set ofaccounts. A model score can generally indicate a likelihood that anassociated account (e.g., an account having the model score) is anillegitimate account. In some instances, a model score can correspond toa numeric value between 0 and 1, where a higher model score for anaccount indicates a higher likelihood that the account is illegitimate.In one example, the set of accounts can be accessed, received, orotherwise acquired from the risk system 520 and/or the data store 522.The model score module 502 can determine, calculate, receive, orotherwise acquire a model score for each account in the set of accounts.Occasionally, multiple accounts in the set can be determined to have thesame model score. In some implementations, the model score module 502can utilize one or more models in the risk system 520 to determine themodel score for each account.

In some implementations, there can be various models in the risk system520 for identifying illegitimate accounts. In some cases, the models cancorrespond to logistic regression models, gradient boosted tree models,and/or other similar models. The models can be trained based on known ortraining data. The training can produce at least one respective modelthreshold for each model. In one example, when an account is determined,based on a model, to have a model score surpassing the model thresholdfor the model, then the account can be identified as being illegitimate.In some cases, a particular model can be designed or intended for, andutilized in, identifying accounts associated with a particularillegitimate scheme. Illegitimate schemes can, for example, includecompromised fraud schemes, stolen financial instrument schemes, bankaccount fraud schemes, failed payment schemes, and/or various otherillegal or fraudulent schemes, etc.

The ranking module 506 can be configured to rank the plurality of modelscores in descending order. In one example, the plurality of modelscores have numeric values between 0 and 1, such that the ranking module506 can rank the model scores based on their numeric values. In someinstances, the ranking module 506 can rank the plurality of model scoresby sorting the models scores in descending order based on their values.In one example, each unique model score with a unique value, relative toother values associated with other model scores, is ranked, sorted, orordered with respect to the other model scores with the other values.

The metrics module 508 can be configured to determine or acquire one ormore metrics for each model score in the plurality of model scores basedon information about the at least one account associated with each modelscore. The one or more metrics for each (unique) model score caninclude, but are not limited to, statistics, properties,characteristics, and/or various other information related to the atleast one account associated with each model score. More detailsregarding the metrics module 508 will be provided below with referenceto FIG. 6.

Moreover, the criteria module 510 can be configured to acquire specifiedcriteria for selecting a model threshold utilized in identifyingillegitimate accounts. In some instances, the specified criteria can bebased on at least some of the one or more metrics. The criteria module510 will be described in more detail below with reference to FIG. 7.

Furthermore, the selection module 512 can be configured to select themodel threshold as corresponding to a lowest ranked model score thatsatisfies the specified criteria. The selecting of the model thresholdcan be dynamic, for example, in that the selecting of the modelthreshold is based on the lowest ranked model score, which in turn isfurther based on the ranking of the plurality of model scores. As such,when new accounts are present, the ranking of the model scores canchange. When the ranking of the model scores changes, the selecting ofthe model threshold can be adjusted accordingly, thereby resulting inthe dynamic selection of the model threshold. Additionally oralternatively, when the specified criteria changes, the selecting of themodel threshold can change as well, thereby contributing to the dynamicquality of the selection of the model threshold.

In some embodiments, the selecting of the model threshold can beinitiated based on at least one of a specified time frame trigger orfeedback information. In one example, the specified time trigger framecan include a daily trigger. The daily trigger can cause the pluralityof model scores for the set of accounts to be updated daily. In somecases, the model scores and/or the set of accounts can change from dayto day. This can affect, on a daily basis, the ranking of the modelscores, the determining of the one or more metrics, and/or the specifiedcriteria. As a result, the selecting of the model threshold can also beupdated daily (e.g., dynamically). Other time frame triggers can beutilized as well.

In another example, the feedback information can be associated with atleast one of an increase in false positive accounts surpassing anallowable false positive threshold or an increase in illegitimateaccount leakage surpassing an allowable illegitimate account leakagethreshold. In this example, when there are too many (e.g., surpassingthe allowable false positive threshold) false positive accountsidentified as candidates to be queued for manual review, the modelthreshold can be dynamically selected or adjusted to be lower, such thatthe model scores for these false positive accounts fall below the modelthreshold and thus are not queued for manual review. Also, when thereare too many (e.g., surpassing the allowable illegitimate accountleakage threshold) undetected illegitimate accounts, the model thresholdcan be dynamically selected or adjusted to be higher, such that themodel scores for these undetected illegitimate accounts can at leastmeet the model threshold and thus can be identified as beingillegitimate (and become automatically disabled, blocked, and/orstopped, etc.). Many variations are possible.

FIG. 6 illustrates an example metrics module 602 configured tofacilitate dynamically selecting model thresholds for identifyingillegitimate accounts, according to an embodiment of the presentdisclosure. In some embodiments, the metrics module 508 can beimplemented as the example metrics module 602. As shown in the exampleof FIG. 6, the metrics module 602 can include an account quantity module604, a disabled account quantity module 606, and an active accountquantity module 608.

The metrics module 602 can be configured to determine one or moremetrics for each model score in a plurality of model scores. In somecases, each model score can be associated with at least one account in aset of accounts. For example, a model in a risk system can be utilizedto calculate a model score for each account in the set. In someinstances, the determining of the one or more metrics can be based oninformation about the at least one account associated with each modelscore.

In some embodiments, the one or more metrics can be associated with arunning total quantity of accounts associated with each model score andall higher model scores. The account quantity module 604 can beconfigured to calculate, determine, or otherwise acquire the runningtotal quantity of accounts associated with each model score and allhigher model scores. In one example, if there are 0 accounts having amodel score of 1.00, 100 accounts having a model score of 0.99, and 200accounts having a model score of 0.98, then the account quantity module604 can determine the running total quantity of accounts associated withthe model score of 0.99 (and all higher model scores) as being 100accounts, and can determine the running total quantity of accountsassociated with the model score of 0.98 (and all higher model scores) asbeing 300 accounts, and so forth.

In some embodiments, the one or more metrics can be associated with arunning total quantity of disabled accounts associated with each modelscore and all higher model scores. The disabled account quantity module606 can be configured to calculate, determine, or otherwise acquire therunning total quantity of disabled accounts associated with each modelscore and all higher model scores. In one example, if there are 0disabled accounts having a model score of 1.00, 100 disabled accountshaving a model score of 0.99, and 199 disabled accounts having a modelscore of 0.98, then the disabled account quantity module 606 candetermine the running total quantity of disabled accounts associatedwith the model score of 0.99 (and all higher model scores) as being 100disabled accounts, and can determine the running total quantity ofdisabled accounts associated with the model score of 0.98 (and allhigher model scores) as being 299 disabled accounts, and so forth.

In some embodiments, the one or more metrics can be associated with arunning total quantity of active accounts associated with each modelscore and all higher model scores. The active account quantity module608 can be configured to calculate, determine, or otherwise acquire therunning total quantity of active accounts associated with each modelscore and all higher model scores. In one example, if there are 0 activeaccounts having a model score of 1.00, 0 active accounts having a modelscore of 0.99, and 1 active account having a model score of 0.98, thenthe active account quantity module 608 can determine the running totalquantity of active accounts associated with the model score of 0.99 (andall higher model scores) as being 0 active accounts, and can determinethe running total quantity of active accounts associated with the modelscore of 0.98 (and all higher model scores) as being 1 active account,and so forth.

Having determined the one or more metrics for each model score, criteriafor selecting a model threshold can be based on at least some of the oneor more metrics. It is contemplated that there can be many variations,applications, and other possibilities.

FIG. 7 illustrates an example criteria module 702 configured tofacilitate dynamically selecting model thresholds for identifyingillegitimate accounts, according to an embodiment of the presentdisclosure. In some embodiments, the criteria module 510 can beimplemented as the example criteria module 702. As shown in the exampleof FIG. 7, the criteria module 702 can include a precision rate module704, a recall rate module 706, and a false positive rate module 708.

As discussed above, the criteria module 702 can be configured tofacilitate acquiring specified criteria for selecting a model thresholdutilized in identifying illegitimate accounts. The specified criteriacan be based on at least some metrics for model scores. In someembodiments, the specified criteria can be associated with at least oneof a precision rate for identifying illegitimate accounts, a recall rateassociated with identifying illegitimate accounts, or a false positiverate associated with identifying illegitimate accounts. The precisionrate module 704 can determine, calculate, or acquire the precision ratefor identifying illegitimate accounts. In some cases, the precision ratefor identifying illegitimate accounts can be determined based on aquantity of disabled accounts divided by a quantity of total accounts.The recall rate module 706 can determine, calculate, or acquire therecall rate associated with identifying illegitimate accounts. In someinstances, the recall rate associated with identifying illegitimateaccounts can be determined based on a quantity of illegitimate accountsat or above a model threshold divided by a quantity of totalillegitimate accounts. The false positive rate module 708 can determine,calculate, or acquire the false positive rate associated withidentifying illegitimate accounts. In some cases, the false positiverate associated with identifying illegitimate accounts can be determinedbased on a quantity of active accounts at or above a model thresholddivided by a quantity of total active accounts.

Having acquired specified criteria for selecting a model threshold, themodel threshold can be selected to satisfy the specified criteria. Inone example, the specified criteria can require the false positive rateto have a maximum allowable value of 0.05%. As such, in this example,the model threshold is selected to satisfy the specified criteriarequiring the false positive rate to be at most 0.05%. Again, it iscontemplated that there can be many variations, applications, and otherpossibilities.

FIG. 8A illustrates an example method 800 associated with dynamicallyselecting model thresholds for identifying illegitimate accounts,according to an embodiment of the present disclosure. It should beappreciated that there can be additional, fewer, or alternative stepsperformed in similar or alternative orders, or in parallel, within thescope of the various embodiments unless otherwise stated.

At block 802, the example method 800 can determine a plurality of modelscores for a set of accounts. Each model score in the plurality of modelscores can be associated with at least one account in the set ofaccounts. At block 804, the example method 800 can rank the plurality ofmodel scores in descending order. At block 806, the example method 800can determine one or more metrics for each model score in the pluralityof model scores based on information about the at least one accountassociated with each model score. At block 808, the example method 800can acquire specified criteria for selecting a model threshold utilizedin identifying illegitimate accounts. In some cases, the specifiedcriteria can be based on at least some of the one or more metrics. Atblock 810, the example method 800 can select the model threshold ascorresponding to a lowest ranked model score that satisfies thespecified criteria.

FIG. 8B illustrates an example method 850 associated with dynamicallyselecting model thresholds for identifying illegitimate accounts,according to an embodiment of the present disclosure. Again, it shouldbe appreciated that there can be additional, fewer, or alternative stepsperformed in similar or alternative orders, or in parallel, within thescope of the various embodiments unless otherwise stated.

At block 852, the example method 850 can acquire a model score for anunidentified account. At block 854, the example method 850 can comparethe model score for the unidentified account with the model threshold.At block 856, the example method 850 can identify the unidentifiedaccount as being illegitimate when the model score for the unidentifiedaccount at least meets the model threshold. At block 858, the examplemethod 850 can automatically disable the unidentified account.

In some cases, a model score for an unidentified account can beacquired. The model score for the unidentified account can be comparedwith a second model threshold that is lower than the model threshold.The unidentified account can be submitted for manual review when themodel score for the unidentified account at least meets the second modelthreshold but fails to at least meet the model threshold.

In some embodiments, the second model threshold can be selected to havea precision rate for identifying illegitimate accounts that is 20% lowerthan the model threshold.

Again, it is contemplated that there can be many other uses,applications, and/or variations associated with the various embodimentsof the present disclosure. For example, various embodiments of thepresent disclosure can learn, improve, and/or be refined over time.

Social Networking System—Example Implementation

FIG. 9 illustrates a network diagram of an example system 900 that canbe utilized in various scenarios, in accordance with an embodiment ofthe present disclosure. The system 900 includes one or more user devices910, one or more external systems 920, a social networking system (orservice) 930, and a network 950. In an embodiment, the social networkingservice, provider, and/or system discussed in connection with theembodiments described above may be implemented as the social networkingsystem 930. For purposes of illustration, the embodiment of the system900, shown by FIG. 9, includes a single external system 920 and a singleuser device 910. However, in other embodiments, the system 900 mayinclude more user devices 910 and/or more external systems 920. Incertain embodiments, the social networking system 930 is operated by asocial network provider, whereas the external systems 920 are separatefrom the social networking system 930 in that they may be operated bydifferent entities. In various embodiments, however, the socialnetworking system 930 and the external systems 920 operate inconjunction to provide social networking services to users (or members)of the social networking system 930. In this sense, the socialnetworking system 930 provides a platform or backbone, which othersystems, such as external systems 920, may use to provide socialnetworking services and functionalities to users across the Internet.

The user device 910 comprises one or more computing devices that canreceive input from a user and transmit and receive data via the network950. In one embodiment, the user device 910 is a conventional computersystem executing, for example, a Microsoft Windows compatible operatingsystem (OS), Apple OS X, and/or a Linux distribution. In anotherembodiment, the user device 910 can be a device having computerfunctionality, such as a smart-phone, a tablet, a personal digitalassistant (PDA), a mobile telephone, etc. The user device 910 isconfigured to communicate via the network 950. The user device 910 canexecute an application, for example, a browser application that allows auser of the user device 910 to interact with the social networkingsystem 930. In another embodiment, the user device 910 interacts withthe social networking system 930 through an application programminginterface (API) provided by the native operating system of the userdevice 910, such as iOS and ANDROID. The user device 910 is configuredto communicate with the external system 920 and the social networkingsystem 930 via the network 950, which may comprise any combination oflocal area and/or wide area networks, using wired and/or wirelesscommunication systems.

In one embodiment, the network 950 uses standard communicationstechnologies and protocols. Thus, the network 950 can include linksusing technologies such as Ethernet, 702.11, worldwide interoperabilityfor microwave access (WiMAX), 3G, 4G, CDMA, GSM, LTE, digital subscriberline (DSL), etc. Similarly, the networking protocols used on the network950 can include multiprotocol label switching (MPLS), transmissioncontrol protocol/Internet protocol (TCP/IP), User Datagram Protocol(UDP), hypertext transport protocol (HTTP), simple mail transferprotocol (SMTP), file transfer protocol (FTP), and the like. The dataexchanged over the network 950 can be represented using technologiesand/or formats including hypertext markup language (HTML) and extensiblemarkup language (XML). In addition, all or some links can be encryptedusing conventional encryption technologies such as secure sockets layer(SSL), transport layer security (TLS), and Internet Protocol security(IPsec).

In one embodiment, the user device 910 may display content from theexternal system 920 and/or from the social networking system 930 byprocessing a markup language document 914 received from the externalsystem 920 and from the social networking system 930 using a browserapplication 912. The markup language document 914 identifies content andone or more instructions describing formatting or presentation of thecontent. By executing the instructions included in the markup languagedocument 914, the browser application 912 displays the identifiedcontent using the format or presentation described by the markuplanguage document 914. For example, the markup language document 914includes instructions for generating and displaying a web page havingmultiple frames that include text and/or image data retrieved from theexternal system 920 and the social networking system 930. In variousembodiments, the markup language document 914 comprises a data fileincluding extensible markup language (XML) data, extensible hypertextmarkup language (XHTML) data, or other markup language data.Additionally, the markup language document 914 may include JavaScriptObject Notation (JSON) data, JSON with padding (JSONP), and JavaScriptdata to facilitate data-interchange between the external system 920 andthe user device 910. The browser application 912 on the user device 910may use a JavaScript compiler to decode the markup language document914.

The markup language document 914 may also include, or link to,applications or application frameworks such as FLASH™ or Unity™applications, the SilverLight™ application framework, etc.

In one embodiment, the user device 910 also includes one or more cookies916 including data indicating whether a user of the user device 910 islogged into the social networking system 930, which may enablemodification of the data communicated from the social networking system930 to the user device 910.

The external system 920 includes one or more web servers that includeone or more web pages 922 a, 922 b, which are communicated to the userdevice 910 using the network 950. The external system 920 is separatefrom the social networking system 930. For example, the external system920 is associated with a first domain, while the social networkingsystem 930 is associated with a separate social networking domain. Webpages 922 a, 922 b, included in the external system 920, comprise markuplanguage documents 914 identifying content and including instructionsspecifying formatting or presentation of the identified content.

The social networking system 930 includes one or more computing devicesfor a social network, including a plurality of users, and providingusers of the social network with the ability to communicate and interactwith other users of the social network. In some instances, the socialnetwork can be represented by a graph, i.e., a data structure includingedges and nodes. Other data structures can also be used to represent thesocial network, including but not limited to databases, objects,classes, meta elements, files, or any other data structure. The socialnetworking system 930 may be administered, managed, or controlled by anoperator. The operator of the social networking system 930 may be ahuman being, an automated application, or a series of applications formanaging content, regulating policies, and collecting usage metricswithin the social networking system 930. Any type of operator may beused.

Users may join the social networking system 930 and then add connectionsto any number of other users of the social networking system 930 to whomthey desire to be connected. As used herein, the term “friend” refers toany other user of the social networking system 930 to whom a user hasformed a connection, association, or relationship via the socialnetworking system 930. For example, in an embodiment, if users in thesocial networking system 930 are represented as nodes in the socialgraph, the term “friend” can refer to an edge formed between anddirectly connecting two user nodes.

Connections may be added explicitly by a user or may be automaticallycreated by the social networking system 930 based on commoncharacteristics of the users (e.g., users who are alumni of the sameeducational institution). For example, a first user specifically selectsa particular other user to be a friend. Connections in the socialnetworking system 930 are usually in both directions, but need not be,so the terms “user” and “friend” depend on the frame of reference.Connections between users of the social networking system 930 areusually bilateral (“two-way”), or “mutual,” but connections may also beunilateral, or “one-way.” For example, if Bob and Joe are both users ofthe social networking system 930 and connected to each other, Bob andJoe are each other's connections. If, on the other hand, Bob wishes toconnect to Joe to view data communicated to the social networking system930 by Joe, but Joe does not wish to form a mutual connection, aunilateral connection may be established. The connection between usersmay be a direct connection; however, some embodiments of the socialnetworking system 930 allow the connection to be indirect via one ormore levels of connections or degrees of separation.

In addition to establishing and maintaining connections between usersand allowing interactions between users, the social networking system930 provides users with the ability to take actions on various types ofitems supported by the social networking system 930. These items mayinclude groups or networks (i.e., social networks of people, entities,and concepts) to which users of the social networking system 930 maybelong, events or calendar entries in which a user might be interested,computer-based applications that a user may use via the socialnetworking system 930, transactions that allow users to buy or sellitems via services provided by or through the social networking system930, and interactions with advertisements that a user may perform on oroff the social networking system 930. These are just a few examples ofthe items upon which a user may act on the social networking system 930,and many others are possible. A user may interact with anything that iscapable of being represented in the social networking system 930 or inthe external system 920, separate from the social networking system 930,or coupled to the social networking system 930 via the network 950.

The social networking system 930 is also capable of linking a variety ofentities. For example, the social networking system 930 enables users tointeract with each other as well as external systems 920 or otherentities through an API, a web service, or other communication channels.The social networking system 930 generates and maintains the “socialgraph” comprising a plurality of nodes interconnected by a plurality ofedges. Each node in the social graph may represent an entity that canact on another node and/or that can be acted on by another node. Thesocial graph may include various types of nodes. Examples of types ofnodes include users, non-person entities, content items, web pages,groups, activities, messages, concepts, and any other things that can berepresented by an object in the social networking system 930. An edgebetween two nodes in the social graph may represent a particular kind ofconnection, or association, between the two nodes, which may result fromnode relationships or from an action that was performed by one of thenodes on the other node. In some cases, the edges between nodes can beweighted. The weight of an edge can represent an attribute associatedwith the edge, such as a strength of the connection or associationbetween nodes. Different types of edges can be provided with differentweights. For example, an edge created when one user “likes” another usermay be given one weight, while an edge created when a user befriendsanother user may be given a different weight.

As an example, when a first user identifies a second user as a friend,an edge in the social graph is generated connecting a node representingthe first user and a second node representing the second user. Asvarious nodes relate or interact with each other, the social networkingsystem 930 modifies edges connecting the various nodes to reflect therelationships and interactions.

The social networking system 930 also includes user-generated content,which enhances a user's interactions with the social networking system930. User-generated content may include anything a user can add, upload,send, or “post” to the social networking system 930. For example, a usercommunicates posts to the social networking system 930 from a userdevice 910. Posts may include data such as status updates or othertextual data, location information, images such as photos, videos,links, music or other similar data and/or media. Content may also beadded to the social networking system 930 by a third party. Content“items” are represented as objects in the social networking system 930.In this way, users of the social networking system 930 are encouraged tocommunicate with each other by posting text and content items of varioustypes of media through various communication channels. Suchcommunication increases the interaction of users with each other andincreases the frequency with which users interact with the socialnetworking system 930.

The social networking system 930 includes a web server 932, an APIrequest server 934, a user profile store 936, a connection store 938, anaction logger 940, an activity log 942, and an authorization server 944.In an embodiment of the invention, the social networking system 930 mayinclude additional, fewer, or different components for variousapplications. Other components, such as network interfaces, securitymechanisms, load balancers, failover servers, management and networkoperations consoles, and the like are not shown so as to not obscure thedetails of the system.

The user profile store 936 maintains information about user accounts,including biographic, demographic, and other types of descriptiveinformation, such as work experience, educational history, hobbies orpreferences, location, and the like that has been declared by users orinferred by the social networking system 930. This information is storedin the user profile store 936 such that each user is uniquelyidentified. The social networking system 930 also stores data describingone or more connections between different users in the connection store938. The connection information may indicate users who have similar orcommon work experience, group memberships, hobbies, or educationalhistory. Additionally, the social networking system 930 includesuser-defined connections between different users, allowing users tospecify their relationships with other users. For example, user-definedconnections allow users to generate relationships with other users thatparallel the users' real-life relationships, such as friends,co-workers, partners, and so forth. Users may select from predefinedtypes of connections, or define their own connection types as needed.Connections with other nodes in the social networking system 930, suchas non-person entities, buckets, cluster centers, images, interests,pages, external systems, concepts, and the like are also stored in theconnection store 938.

The social networking system 930 maintains data about objects with whicha user may interact. To maintain this data, the user profile store 936and the connection store 938 store instances of the corresponding typeof objects maintained by the social networking system 930. Each objecttype has information fields that are suitable for storing informationappropriate to the type of object. For example, the user profile store936 contains data structures with fields suitable for describing auser's account and information related to a user's account. When a newobject of a particular type is created, the social networking system 930initializes a new data structure of the corresponding type, assigns aunique object identifier to it, and begins to add data to the object asneeded. This might occur, for example, when a user becomes a user of thesocial networking system 930, the social networking system 930 generatesa new instance of a user profile in the user profile store 936, assignsa unique identifier to the user account, and begins to populate thefields of the user account with information provided by the user.

The connection store 938 includes data structures suitable fordescribing a user's connections to other users, connections to externalsystems 920 or connections to other entities. The connection store 938may also associate a connection type with a user's connections, whichmay be used in conjunction with the user's privacy setting to regulateaccess to information about the user. In an embodiment of the invention,the user profile store 936 and the connection store 938 may beimplemented as a federated database.

Data stored in the connection store 938, the user profile store 936, andthe activity log 942 enables the social networking system 930 togenerate the social graph that uses nodes to identify various objectsand edges connecting nodes to identify relationships between differentobjects. For example, if a first user establishes a connection with asecond user in the social networking system 930, user accounts of thefirst user and the second user from the user profile store 936 may actas nodes in the social graph. The connection between the first user andthe second user stored by the connection store 938 is an edge betweenthe nodes associated with the first user and the second user. Continuingthis example, the second user may then send the first user a messagewithin the social networking system 930. The action of sending themessage, which may be stored, is another edge between the two nodes inthe social graph representing the first user and the second user.Additionally, the message itself may be identified and included in thesocial graph as another node connected to the nodes representing thefirst user and the second user.

In another example, a first user may tag a second user in an image thatis maintained by the social networking system 930 (or, alternatively, inan image maintained by another system outside of the social networkingsystem 930). The image may itself be represented as a node in the socialnetworking system 930. This tagging action may create edges between thefirst user and the second user as well as create an edge between each ofthe users and the image, which is also a node in the social graph. Inyet another example, if a user confirms attending an event, the user andthe event are nodes obtained from the user profile store 936, where theattendance of the event is an edge between the nodes that may beretrieved from the activity log 942. By generating and maintaining thesocial graph, the social networking system 930 includes data describingmany different types of objects and the interactions and connectionsamong those objects, providing a rich source of socially relevantinformation.

The web server 932 links the social networking system 930 to one or moreuser devices 910 and/or one or more external systems 920 via the network950. The web server 932 serves web pages, as well as other web-relatedcontent, such as Java, JavaScript, Flash, XML, and so forth. The webserver 932 may include a mail server or other messaging functionalityfor receiving and routing messages between the social networking system930 and one or more user devices 910. The messages can be instantmessages, queued messages (e.g., email), text and SMS messages, or anyother suitable messaging format.

The API request server 934 allows one or more external systems 920 anduser devices 910 to call access information from the social networkingsystem 930 by calling one or more API functions. The API request server934 may also allow external systems 920 to send information to thesocial networking system 930 by calling APIs. The external system 920,in one embodiment, sends an API request to the social networking system930 via the network 950, and the API request server 934 receives the APIrequest. The API request server 934 processes the request by calling anAPI associated with the API request to generate an appropriate response,which the API request server 934 communicates to the external system 920via the network 950. For example, responsive to an API request, the APIrequest server 934 collects data associated with a user, such as theuser's connections that have logged into the external system 920, andcommunicates the collected data to the external system 920. In anotherembodiment, the user device 910 communicates with the social networkingsystem 930 via APIs in the same manner as external systems 920.

The action logger 940 is capable of receiving communications from theweb server 932 about user actions on and/or off the social networkingsystem 930. The action logger 940 populates the activity log 942 withinformation about user actions, enabling the social networking system930 to discover various actions taken by its users within the socialnetworking system 930 and outside of the social networking system 930.Any action that a particular user takes with respect to another node onthe social networking system 930 may be associated with each user'saccount, through information maintained in the activity log 942 or in asimilar database or other data repository. Examples of actions taken bya user within the social networking system 930 that are identified andstored may include, for example, adding a connection to another user,sending a message to another user, reading a message from another user,viewing content associated with another user, attending an event postedby another user, posting an image, attempting to post an image, or otheractions interacting with another user or another object. When a usertakes an action within the social networking system 930, the action isrecorded in the activity log 942. In one embodiment, the socialnetworking system 930 maintains the activity log 942 as a database ofentries. When an action is taken within the social networking system930, an entry for the action is added to the activity log 942. Theactivity log 942 may be referred to as an action log.

Additionally, user actions may be associated with concepts and actionsthat occur within an entity outside of the social networking system 930,such as an external system 920 that is separate from the socialnetworking system 930. For example, the action logger 940 may receivedata describing a user's interaction with an external system 920 fromthe web server 932. In this example, the external system 920 reports auser's interaction according to structured actions and objects in thesocial graph.

Other examples of actions where a user interacts with an external system920 include a user expressing an interest in an external system 920 oranother entity, a user posting a comment to the social networking system930 that discusses an external system 920 or a web page 922 a within theexternal system 920, a user posting to the social networking system 930a Uniform Resource Locator (URL) or other identifier associated with anexternal system 920, a user attending an event associated with anexternal system 920, or any other action by a user that is related to anexternal system 920. Thus, the activity log 942 may include actionsdescribing interactions between a user of the social networking system930 and an external system 920 that is separate from the socialnetworking system 930.

The authorization server 944 enforces one or more privacy settings ofthe users of the social networking system 930. A privacy setting of auser determines how particular information associated with a user can beshared. The privacy setting comprises the specification of particularinformation associated with a user and the specification of the entityor entities with whom the information can be shared. Examples ofentities with which information can be shared may include other users,applications, external systems 920, or any entity that can potentiallyaccess the information. The information that can be shared by a usercomprises user account information, such as profile photos, phonenumbers associated with the user, user's connections, actions taken bythe user such as adding a connection, changing user profile information,and the like.

The privacy setting specification may be provided at different levels ofgranularity. For example, the privacy setting may identify specificinformation to be shared with other users; the privacy settingidentifies a work phone number or a specific set of related information,such as, personal information including profile photo, home phonenumber, and status. Alternatively, the privacy setting may apply to allthe information associated with the user. The specification of the setof entities that can access particular information can also be specifiedat various levels of granularity. Various sets of entities with whichinformation can be shared may include, for example, all friends of theuser, all friends of friends, all applications, or all external systems920. One embodiment allows the specification of the set of entities tocomprise an enumeration of entities. For example, the user may provide alist of external systems 920 that are allowed to access certaininformation. Another embodiment allows the specification to comprise aset of entities along with exceptions that are not allowed to access theinformation. For example, a user may allow all external systems 920 toaccess the user's work information, but specify a list of externalsystems 920 that are not allowed to access the work information. Certainembodiments call the list of exceptions that are not allowed to accesscertain information a “block list”. External systems 920 belonging to ablock list specified by a user are blocked from accessing theinformation specified in the privacy setting. Various combinations ofgranularity of specification of information, and granularity ofspecification of entities, with which information is shared arepossible. For example, all personal information may be shared withfriends whereas all work information may be shared with friends offriends.

The authorization server 944 contains logic to determine if certaininformation associated with a user can be accessed by a user's friends,external systems 920, and/or other applications and entities. Theexternal system 920 may need authorization from the authorization server944 to access the user's more private and sensitive information, such asthe user's work phone number. Based on the user's privacy settings, theauthorization server 944 determines if another user, the external system920, an application, or another entity is allowed to access informationassociated with the user, including information about actions taken bythe user.

In some embodiments, the social networking system 930 can include adynamic identification rule module 946. The dynamic identification rulemodule 946 can, for example, be implemented as the dynamicidentification rule module 102 of FIG. 1. The dynamic identificationrule module 946 can be configured to facilitate receiving a set ofaccounts associated with a specified time frame. The dynamicidentification rule module 946 can also be configured to facilitateanalyzing for each account in the set, one or more features and one ormore feature combinations. Further, the dynamic identification rulemodule 946 can be configured to facilitate determining for each accountin the set, feature metrics for the one or more features and the one ormore feature combinations. Moreover, the dynamic identification rulemodule 946 can be configured to facilitate acquiring threshold valuesfor the feature metrics. The dynamic identification rule module 946 canalso be configured to facilitate implementing the at least one rulebeing based on at least some of the feature metrics and at least some ofthe threshold values. Other features of the dynamic identification rulemodule 946 are discussed herein in connection with the dynamicidentification rule module 102 of FIG. 1.

In some embodiments, the social networking system 930 can include adynamic model threshold module 948. The dynamic model threshold module948 can, for example, be implemented as the dynamic model thresholdmodule 502 of FIG. 5. The dynamic model threshold module 948 can beconfigured to facilitate determining a plurality of model scores for aset of accounts. Each model score in the plurality of model scores canbe associated with at least one account in the set of accounts. Thedynamic model threshold module 948 can also be configured to facilitateranking the plurality of model scores in descending order. Further, thedynamic model threshold module 948 can be configured to facilitatedetermining one or more metrics for each model score in the plurality ofmodel scores based on information about the at least one accountassociated with each model score. Moreover, the dynamic model thresholdmodule 948 can be configured to facilitate acquiring specified criteriafor selecting a model threshold utilized in identifying illegitimateaccounts. The specified criteria can be based on at least some of theone or more metrics. The dynamic model threshold module 948 can also beconfigured to facilitate selecting the model threshold as correspondingto a lowest ranked model score that satisfies the specified criteria.Other features of the dynamic model threshold module 948 are discussedherein in connection with the dynamic model threshold module 502 of FIG.5.

Hardware Implementation

The foregoing processes and features can be implemented by a widevariety of machine and computer system architectures and in a widevariety of network and computing environments. FIG. 10 illustrates anexample of a computer system 1000 that may be used to implement one ormore of the embodiments described herein in accordance with anembodiment of the invention. The computer system 1000 includes sets ofinstructions for causing the computer system 1000 to perform theprocesses and features discussed herein. The computer system 1000 may beconnected (e.g., networked) to other machines. In a networkeddeployment, the computer system 1000 may operate in the capacity of aserver machine or a client machine in a client-server networkenvironment, or as a peer machine in a peer-to-peer (or distributed)network environment. In an embodiment of the invention, the computersystem 1000 may be the social networking system 930, the user device910, and the external system 1020, or a component thereof. In anembodiment of the invention, the computer system 1000 may be one serveramong many that constitutes all or part of the social networking system930.

The computer system 1000 includes a processor 1002, a cache 1004, andone or more executable modules and drivers, stored on acomputer-readable medium, directed to the processes and featuresdescribed herein. Additionally, the computer system 1000 includes a highperformance input/output (I/O) bus 1006 and a standard I/O bus 1008. Ahost bridge 1010 couples processor 1002 to high performance I/O bus1006, whereas I/O bus bridge 1012 couples the two buses 1006 and 1008 toeach other. A system memory 1014 and one or more network interfaces 1016couple to high performance I/O bus 1006. The computer system 1000 mayfurther include video memory and a display device coupled to the videomemory (not shown). Mass storage 1018 and I/O ports 1020 couple to thestandard I/O bus 1008. The computer system 1000 may optionally include akeyboard and pointing device, a display device, or other input/outputdevices (not shown) coupled to the standard I/O bus 1008. Collectively,these elements are intended to represent a broad category of computerhardware systems, including but not limited to computer systems based onthe x86-compatible processors manufactured by Intel Corporation of SantaClara, Calif., and the x86-compatible processors manufactured byAdvanced Micro Devices (AMD), Inc., of Sunnyvale, Calif., as well as anyother suitable processor.

An operating system manages and controls the operation of the computersystem 1000, including the input and output of data to and from softwareapplications (not shown). The operating system provides an interfacebetween the software applications being executed on the system and thehardware components of the system. Any suitable operating system may beused, such as the LINUX Operating System, the Apple Macintosh OperatingSystem, available from Apple Computer Inc. of Cupertino, Calif., UNIXoperating systems, Microsoft® Windows® operating systems, BSD operatingsystems, and the like. Other implementations are possible.

The elements of the computer system 1000 are described in greater detailbelow. In particular, the network interface 1016 provides communicationbetween the computer system 1000 and any of a wide range of networks,such as an Ethernet (e.g., IEEE 802.3) network, a backplane, etc. Themass storage 1018 provides permanent storage for the data andprogramming instructions to perform the above-described processes andfeatures implemented by the respective computing systems identifiedabove, whereas the system memory 1014 (e.g., DRAM) provides temporarystorage for the data and programming instructions when executed by theprocessor 1002. The I/O ports 1020 may be one or more serial and/orparallel communication ports that provide communication betweenadditional peripheral devices, which may be coupled to the computersystem 1000.

The computer system 1000 may include a variety of system architectures,and various components of the computer system 1000 may be rearranged.For example, the cache 1004 may be on-chip with processor 1002.Alternatively, the cache 1004 and the processor 1002 may be packedtogether as a “processor module”, with processor 1002 being referred toas the “processor core”. Furthermore, certain embodiments of theinvention may neither require nor include all of the above components.For example, peripheral devices coupled to the standard I/O bus 1008 maycouple to the high performance I/O bus 1006. In addition, in someembodiments, only a single bus may exist, with the components of thecomputer system 1000 being coupled to the single bus. Moreover, thecomputer system 1000 may include additional components, such asadditional processors, storage devices, or memories.

In general, the processes and features described herein may beimplemented as part of an operating system or a specific application,component, program, object, module, or series of instructions referredto as “programs”. For example, one or more programs may be used toexecute specific processes described herein. The programs typicallycomprise one or more instructions in various memory and storage devicesin the computer system 1000 that, when read and executed by one or moreprocessors, cause the computer system 1000 to perform operations toexecute the processes and features described herein. The processes andfeatures described herein may be implemented in software, firmware,hardware (e.g., an application specific integrated circuit), or anycombination thereof.

In one implementation, the processes and features described herein areimplemented as a series of executable modules run by the computer system1000, individually or collectively in a distributed computingenvironment. The foregoing modules may be realized by hardware,executable modules stored on a computer-readable medium (ormachine-readable medium), or a combination of both. For example, themodules may comprise a plurality or series of instructions to beexecuted by a processor in a hardware system, such as the processor1002. Initially, the series of instructions may be stored on a storagedevice, such as the mass storage 1018. However, the series ofinstructions can be stored on any suitable computer readable storagemedium. Furthermore, the series of instructions need not be storedlocally, and could be received from a remote storage device, such as aserver on a network, via the network interface 1016. The instructionsare copied from the storage device, such as the mass storage 1018, intothe system memory 1014 and then accessed and executed by the processor1002. In various implementations, a module or modules can be executed bya processor or multiple processors in one or multiple locations, such asmultiple servers in a parallel processing environment.

Examples of computer-readable media include, but are not limited to,recordable type media such as volatile and non-volatile memory devices;solid state memories; floppy and other removable disks; hard diskdrives; magnetic media; optical disks (e.g., Compact Disk Read-OnlyMemory (CD ROMS), Digital Versatile Disks (DVDs)); other similarnon-transitory (or transitory), tangible (or non-tangible) storagemedium; or any type of medium suitable for storing, encoding, orcarrying a series of instructions for execution by the computer system1000 to perform any one or more of the processes and features describedherein.

For purposes of explanation, numerous specific details are set forth inorder to provide a thorough understanding of the description. It will beapparent, however, to one skilled in the art that embodiments of thedisclosure can be practiced without these specific details. In someinstances, modules, structures, processes, features, and devices areshown in block diagram form in order to avoid obscuring the description.In other instances, functional block diagrams and flow diagrams areshown to represent data and logic flows. The components of blockdiagrams and flow diagrams (e.g., modules, blocks, structures, devices,features, etc.) may be variously combined, separated, removed,reordered, and replaced in a manner other than as expressly describedand depicted herein.

Reference in this specification to one embodiment“, an embodiment”,“other embodiments”, one series of embodiments“, some embodiments”,“various embodiments”, or the like means that a particular feature,design, structure, or characteristic described in connection with theembodiment is included in at least one embodiment of the disclosure. Theappearances of, for example, the phrase “in one embodiment” or “in anembodiment” in various places in the specification are not necessarilyall referring to the same embodiment, nor are separate or alternativeembodiments mutually exclusive of other embodiments. Moreover, whetheror not there is express reference to an “embodiment” or the like,various features are described, which may be variously combined andincluded in some embodiments, but also variously omitted in otherembodiments. Similarly, various features are described that may bepreferences or requirements for some embodiments, but not otherembodiments.

The language used herein has been principally selected for readabilityand instructional purposes, and it may not have been selected todelineate or circumscribe the inventive subject matter. It is thereforeintended that the scope of the invention be limited not by this detaileddescription, but rather by any claims that issue on an application basedhereon. Accordingly, the disclosure of the embodiments of the inventionis intended to be illustrative, but not limiting, of the scope of theinvention, which is set forth in the following claims.

What is claimed is:
 1. A computer-implemented method comprising:determining, by a computing system, for a set of accounts, one or morefeature combinations associated with one or more features relating tothe set of accounts; generating, by the computing system, featuremetrics for the one or more feature combinations, the feature metricsbased at least in part on a number of disabled accounts in the set ofaccounts; determining, by the computing system, threshold values basedat least in part on the feature metrics; and applying, by the computingsystem, at least one rule for dynamically identifying accounts as beingillegitimate, the at least one rule based at least in part on thethreshold values.
 2. The computer-implemented method of claim 1, whereinthe number of disabled accounts in the set of accounts includes at leastone of a manually disabled account or a disabled new account.
 3. Thecomputer-implemented method of claim 1, further comprising: identifyinga particular account not included in the set of accounts; determiningthat the particular account is associated with the one or more featurecombinations; determining one or more assessment metrics based at leastin part on the feature metrics; and determining the particular accountis illegitimate based on the at least one rule when the one or moreassessment metrics satisfy at least one of the threshold values.
 4. Thecomputer-implemented method of claim 3, wherein the one or moreassessment metrics are associated with at least one of a ratio of anumber of manually disabled new accounts relative to a number ofdisabled new accounts, a number of new accounts, or a ratio of thenumber of disabled new accounts relative to the number of new accounts.5. The computer-implemented method of claim 1, wherein the thresholdvalues include a first threshold value associated with a ratio of anumber of manually disabled new accounts relative to a number ofdisabled new accounts, a second threshold value associated with a numberof new accounts, and a third threshold value associated with a ratio ofa number of disabled new accounts relative to a number of new accounts.6. The computer-implemented method of claim 1, wherein the set ofaccounts corresponds to a set of advertiser accounts.
 7. Thecomputer-implemented method of claim 1, wherein the one or more featuresinclude at least one of an advertisement title, an advertisement image,an advertisement landing page identifier, a social networking systemidentifier for an advertisement landing page component, an advertisementbody text portion, an advertisement landing page domain, a sourceinternet protocol (IP), a credit card identification number, a latestadministered page name, a campaign name, a user agent, or anadvertisement image identifier.
 8. The computer-implemented method ofclaim 1, wherein at least one of the one or more feature combinationsincludes a default source country, a campaign currency, and a creditcard identification number.
 9. The computer-implemented method of claim1, wherein the threshold values include a first set of threshold valuesand a second set of threshold values, wherein threshold values in thefirst set are higher than threshold values in the second set, andwherein the first set of threshold values is associated with automaticdisablement, and the second set of threshold values is associated withmanual review.
 10. The computer-implemented method of claim 1, whereinthe set of accounts is associated with a specified time period.
 11. Asystem comprising: at least one processor; and a memory storinginstructions that, when executed by the at least one processor, causethe system to perform: determining for a set of accounts, one or morefeature combinations associated with one or more features relating tothe set of accounts; generating feature metrics for the one or morefeature combinations, the feature metrics based at least in part on anumber of disabled accounts in the set of accounts; determiningthreshold values based at least in part on the feature metrics; andapplying at least one rule for dynamically identifying accounts as beingillegitimate, the at least one rule based at least in part on thethreshold values.
 12. The system of claim 11, wherein the number ofdisabled accounts in the set of accounts includes at least one of amanually disabled account or a disabled new account.
 13. The system ofclaim 11, further comprising: identifying a particular account notincluded in the set of accounts; determining that the particular accountis associated with the one or more feature combinations; determining oneor more assessment metrics based at least in part on the featuremetrics; and determining the particular account is illegitimate based onthe at least one rule when the one or more assessment metrics satisfy atleast one of the threshold values.
 14. The system of claim 13, whereinthe one or more assessment metrics are associated with at least one of aratio of a number of manually disabled new accounts relative to a numberof disabled new accounts, a number of new accounts, or a ratio of thenumber of disabled new accounts relative to the number of new accounts.15. The system of claim 11, wherein the threshold values include a firstthreshold value associated with a ratio of a number of manually disablednew accounts relative to a number of disabled new accounts, a secondthreshold value associated with a number of new accounts, and a thirdthreshold value associated with a ratio of a number of disabled newaccounts relative to a number of new accounts.
 16. A non-transitorycomputer-readable storage medium including instructions that, whenexecuted by at least one processor of a computing system, cause thecomputing system to perform: determining for a set of accounts, one ormore feature combinations associated with one or more features relatingto the set of accounts; generating feature metrics for the one or morefeature combinations, the feature metrics based at least in part on anumber of disabled accounts in the set of accounts; determiningthreshold values based at least in part on the feature metrics; andapplying at least one rule for dynamically identifying accounts as beingillegitimate, the at least one rule based at least in part on thethreshold values.
 17. The non-transitory computer-readable storagemedium of claim 16, wherein the number of disabled accounts in the setof accounts includes at least one of a manually disabled account or adisabled new account.
 18. The non-transitory computer-readable storagemedium of claim 16, further comprising: identifying a particular accountnot included in the set of accounts; determining that the particularaccount is associated with the one or more feature combinations;determining one or more assessment metrics based at least in part on thefeature metrics; and determining the particular account is illegitimatebased on the at least one rule when the one or more assessment metricssatisfy at least one of the threshold values.
 19. The non-transitorycomputer-readable storage medium of claim 18, wherein the one or moreassessment metrics are associated with at least one of a ratio of anumber of manually disabled new accounts relative to a number ofdisabled new accounts, a number of newaccounts, or a ratio of the numberof disabled new accounts relative to the number of new accounts.
 20. Thenon-transitory computer-readable storage medium of claim 16, wherein thethreshold values include a first threshold value associated with a ratioof a number of manually disabled new accounts relative to a number ofdisabled new accounts, a second threshold value associated with a numberof new accounts, and a third threshold value associated with a ratio ofa number of disabled new accounts relative to a number of new accounts.